PT-2020-13680 · Vmware · Harbor

Hidde Smit · Published 2020-09-29 · Updated 2024-08-21 · CVE-2020-13794

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions 1.9.* through 2.0.*

Description: The issue allows exposure of sensitive information to an unauthorized actor. Authenticated users can exploit an enumeration vulnerability in Harbor. The vulnerability is present in the "/users" API endpoint, which is supposed to be restricted to administrators. This restriction can be bypassed, and information can be obtained via the "search" functionality. Non-administrator users can list all usernames and user IDs by sending a GET request to "/api/users/search" with the "username" parameter and value .

Recommendations: For Harbor versions 1.9.* through 2.0.*, update to either version 2.1.0 or 2.0.3 to fix this issue immediately. No temporary workaround is available, so updating to a patched version is the recommended course of action.
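Two checks a defender can run against the advisory's details, as an added example that is not part of the advisory or of the Harbor project: a version triage using the affected and fixed versions stated above, and a detection pass over access-log lines that flags successful non-administrator calls to the "/api/users/search" endpoint. The combined-log line shape, the admin user set and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Affected range taken from the advisory: 1.9.* and 2.0.* are vulnerable;
# 2.0.3 and 2.1.0 ship the fix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def is_affected(version: str) -> bool:
    """Return True if this Harbor version falls in the advisory's affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (1, 9):
        return True
    return (major, minor) == (2, 0) and patch < 3

# Combined-log-style line parser (assumed shape, not Harbor's own log format).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_user_search_requests(log_text: str, admins: set[str]) -> list[dict]:
    """Flag successful (HTTP 200) calls to /api/users/search made by users
    outside the admin set; the advisory says the endpoint should be admin-only."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if urlsplit(m["target"]).path != "/api/users/search":
            continue
        if m["user"] in admins or m["status"] != "200":
            continue
        hits.append({"ip": m["ip"], "user": m["user"], "target": m["target"]})
    return hits

# Constructed sample lines (not real traffic) for a quick run.
SAMPLE_LOG = """\
10.0.0.5 - alice [29/Sep/2020:10:00:01 +0000] "GET /api/users/search?username=a HTTP/1.1" 200 4096
10.0.0.5 - alice [29/Sep/2020:10:00:03 +0000] "GET /api/projects HTTP/1.1" 200 512
10.0.0.9 - admin [29/Sep/2020:10:05:00 +0000] "GET /api/users/search?username=bob HTTP/1.1" 200 128
10.0.0.7 - carol [29/Sep/2020:10:06:12 +0000] "GET /api/users/search?username=c HTTP/1.1" 403 0
10.0.0.8 - dave [29/Sep/2020:10:07:30 +0000] "GET /api/users/search?username=d HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    print("affected 2.0.2:", is_affected("2.0.2"))
    for hit in find_user_search_requests(SAMPLE_LOG, admins={"admin"}):
        print("non-admin user search:", hit)
```

On a patched instance the same non-admin requests should no longer return 200, so hits after upgrading point at a deployment that is still on an affected build.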

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-HARBOR-2020-13794
CVE-2020-13794
GHSA-Q9P8-33WC-H432
GO-2022-0865

Affected Products

Harbor